Beibei Zhao created YARN-11382: ---------------------------------- Summary: ClientRMService forget to record some audit logs after accessCheck Key: YARN-11382 URL: https://issues.apache.org/jira/browse/YARN-11382 Project: Hadoop YARN Issue Type: Bug Components: api, RM Affects Versions: 3.3.4 Reporter: Beibei Zhao
ClientRMService forget to record some audit logs after accessCheck and just throw an YarnException("User does not have privilege to do something……"). Here is an example in method "getContainers": {code:java} @Override public GetContainersResponse getContainers(GetContainersRequest request) throws YarnException, IOException { ...... boolean allowAccess = checkAccess(callerUGI, application.getUser(), ApplicationAccessType.VIEW_APP, application); GetContainersResponse response = null; if (allowAccess) { ...... // a logSuccess should be called here. } else { // a logFailure should be called here. throw new YarnException("User " + callerUGI.getShortUserName() + " does not have privilege to see this application " + appId); } return response; }{code} And other methods(e.g. signalToContainer) in this class logSuccess or logFailure after accessCheck. I think the requests from users are very critical for auditing and audit logs should be recorded here. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-dev-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-dev-h...@hadoop.apache.org